This comment has been minimized.

It might be useful to also support the @ALL group for the users field in order to restrict read access to a particular repository for any additional users that get added to a project (Explicit permission as opposed to implicit permission).